Snyk Validation Integration

By combining Snyk SAST and Bright DAST, users can more comprehensively validate their Snyk SAST issues. This approach reduces false positives and improves the reliability of vulnerability assessments, providing a more robust and trustworthy experience.

This is how the Snyk integration works:

  1. Bright continuously reviews all Snyk SAST issues
  2. The Bright integration identifies a test for each Snyk issue
  3. A list of tests is collected for each project
  4. The Bright app runs selected tests and provides a list of validated issues
  5. Each Bright issue is linked with a corresponding Snyk SAST issue

Prerequisites

  • Created a project in Snyk using an Org Admin service account
  • Obtained Snyk organization ID and API key (token)

Step-by-step guide

  1. Open the Organization page → Integration section

  2. Select Snyk → Settings

  3. Provide the Snyk organization ID and the organization API key (token), then click Connect

  4. Create a project and select permissions: Projects → Create project → type the project name and select the groups that can access this project → click Create

    Important:

    One Bright project can be connected to only one Snyk project. To integrate additional Snyk projects, create a new Bright project for each of them.

  5. Open the Project page → Integration Settings → Add integration

  6. Select a Snyk project, associate a Repository and click Save

  7. Configure Issue Severity:

    • Minimal severity - select one of Critical, High, Medium, Low, or None. Only issues at or above the selected severity are imported; for example, choosing High imports only Critical and High severity issues.
    • Minimal Snyk Score to validate - use this field to filter the issues imported into Bright by their Snyk priority score. For example, entering 750 imports only issues scoring above 750.

  8. Open the Scans page → Create a new scan, select the project created earlier and click Start Scan

The list of tests to run is derived from the issues in the connected Snyk project, so manual test selection is not available for these scans.

How to review performed tests

To see a list of tests provided by the Snyk project, do the following:

  • Open the Scans page → select a scan
  • Click the Configuration tab and scroll down to Tests to run

Scan results

After the tests have completed, the scan page displays the list of issues found. To view a summary, hover over the i icon next to the project name:

  • SAST vulnerabilities: all vulnerabilities imported from the Snyk SAST project
  • Validated by Bright: the number of Snyk vulnerabilities that Bright DAST tested
  • Bright finding: the number of Snyk vulnerabilities that Bright DAST confirmed

To look deeper at the scan results, open the Snyk Vulnerabilities tab. You can filter the results and adjust the table columns. To open a vulnerability in your Snyk project, click its title; it opens in a new browser tab. To open the corresponding issue in your Bright project, click the item in the Bright finding column.